Game over? Europe's cyber problem

The EU knows that a cyber war is happening, but not how to fight it. To be up to speed, the bloc needs to update its cyber security plans.

The EU’s cyber security plans have been in the spotlight since a series of high profile cyber attacks hit Europe in 2017. But very few people understand what a cyber war really is, how to fight cyber crime and what role, if any, the EU has in all this.

Europe’s cyber security strategy covers two things: cyber crime, such as online fraud; and cyber attacks, for instance hacking into a nuclear plant. Cyber crime is lucrative, and is expanding rapidly. Cyber attacks have become one of the weapons of choice of governments and criminal organisations around the world. Both cyber threats can come from state and non-state actors.

The EU has been good at dealing with cyber crime, by doing what it does best: passing laws. But Europe’s ability to prevent and respond to cyber attacks lags behind the offensive cyber capabilities of adversaries like Russia and North Korea.

Nobody expects the EU to respond directly to a cyber attack, as only national governments can do this. But Brussels could be doing more to boost Europe’s cyber security.

There is a gap between the EU’s ambitions and its capabilities in cyber security and defence. This gap has resulted in three main problems.

First, obtaining digital evidence in cross-border cases is still difficult, both within Europe and outside. This matters because in the borderless world of the internet, vast amounts of European citizens’ data sit outside the EU, notably in the US, but also in countries such as China or India.

Second, while cyber attacks are on the rise worldwide, the EU is just waking up to the threat and is still deciding what to do about it – and, most importantly, which institutions should be in charge. At the moment, the EU lacks the resources to understand and fight a cyber war.

Third, NATO, the EU and the US are still trying to agree on a strategy to respond to cyber attacks, when they can be considered an ‘act of war’. There is no agreement on whether or not collective defence should be permissible against non-state actors. Western countries also struggle to agree on ground rules to respond to state-sponsored cyber attacks.

There is no simple solution to solve Europe’s cyber problems. But there are some modest steps the bloc could take to improve its cyber security.

The EU should consider new proposals to facilitate the sharing of electronic evidence both within and outside the EU. The Commission’s recent plans to allow member-states to ask companies directly for evidence are unlikely to be agreed in their current shape and do not solve the problem of transatlantic data exchange. The EU could consider replacing current EU-US agreements with a more efficient treaty on digital evidence, and also conclude deals with other countries.

The EU should encourage member-states to invest more in cyber security, and co-ordinate their response to major cyber attacks, for example by clearly determining when economic sanctions may be allowed, who should be responsible for implementing them and under which circumstances.

Brussels should also step up its efforts to understand the cyber threats it is facing so it can better support member-states in their attempts to counter them. For this, the next European Commission could set up a task force from all the relevant departments of the Commission, to advise it on cyber issues.

Finally, Europe and the West should work with technology companies to develop a set of ground rules to define and help attribute cyber attacks.

The EU is at a disadvantage because the cyber world’s bad actors – unlike the Union – know what they are doing. The challenge for the EU is to learn how to beat these international cyber villains before the next major cyber attack puts Europe’s economy and the physical security of its citizens at risk.

This paper is the second in a series for a Centre for European Reform/Open Society European Policy Institute commission on EU justice and home affairs policy, which is being led by former Italian prime minister Giuliano Amato. Its purpose is not to argue for particular policies, which the commissioners will do themselves in their final report, but rather to provide an overview of the state of the debate, and evidence for the commissioners to consider in their deliberations.